Evomind

Security checks across malware telemetry and agentic risk

Overview

EvoMind is a local SQLite memory tool whose persistence and deletion features match its stated agent-memory purpose, though users should avoid storing secrets unless they are comfortable retaining them locally.

Install only if you want a local persistent agent memory database. Do not store passwords, API keys, private prompts, or personal data unless you are comfortable keeping them in a local SQLite file; consider using a custom db_path, backups, and manual review before calling deletion commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly promotes cross-session persistent memory and skill storage, but provides no warning that user inputs, environment details, or saved skills may contain sensitive data that will remain on disk. In an agent context, this increases the risk of unintended retention, later disclosure, or reuse of secrets and personal data across sessions, especially because the feature is framed as production-ready and directly installable.

Missing User Warnings

Medium
Confidence: 90%
Finding
The module persistently stores arbitrary user-provided memories and skill content in a local SQLite database without any notice, consent flow, or safeguards around sensitive data handling. In an agent memory system, this increases the risk that secrets, personal data, or proprietary prompts are silently retained on disk and later exposed through local compromise, backups, or unintended reuse.

Missing User Warnings

Medium
Confidence: 82%
Finding
The forget and forget_all operations irreversibly delete stored memory entries without any confirmation, soft-delete, or warning, making accidental or unauthorized destructive actions easy. In a persistent memory component used by agents, this can cause loss of important state, auditability, and recovery capability if invoked mistakenly or by a compromised caller.

Missing User Warnings

Medium
Confidence: 80%
Finding
skill_delete permanently removes stored skill definitions without any confirmation or warning, so a mistaken call or hostile use of the API can erase reusable procedural knowledge. Because this component is designed as a persistent agent skill store, deletion directly affects agent behavior and recoverability, and there is no built-in backup or rollback path.

VirusTotal

64/64 vendors flagged this skill as clean.
